Topic | Questions | Answer |
General | Can SSO be used in combination with a normal password login? | No. Our SSO system means that all users for a configured email domain will be required to use SSO to log in. |
General | Can I test SSO login before enabling? | Ansarada can enable SSO on a test domain first (e.g. test.example.com). You will need to have a mailbox configured for this test domain in order to be able to accept the invitation email. |
General | What happens when our certificate is due to expire? | Ansarada will need to be notified ahead of time to arrange a manual rollover to the new certificate. We also monitor for upcoming certificate expiry and will notify you if a certificate is due to expire. |
General | Do you support automatic certificate rollover? | No, not currently. We are always considering improvements in this area, so please let us know of your requirements. |
General | Do you support SSO options other than SAML e.g. OIDC, WS Federation? | No, not currently. We are always considering improvements in this area, so please let us know of your requirements. |
Federation | Does the application currently implement or support Federated Authentication via SAML 2.0 or OIDC? | Yes, SAML 2.0 is supported by default. OIDC is not currently supported. |
Federation | Can the application support artifact binding per the SAML 2.0 binding specification? | We support HTTP redirect binding and HTTP post binding. |
Federation | Does the application expose a web-based metadata endpoint for IdP (Identity Provider) consumption? | Yes, we generate a web-based metadata endpoint URL per customer. The endpoint becomes available once the SSO setup process has started and the customer has provided the required information. Example format from our QA environment: https://auth.au.ansarada.com/samlp/metadata?connection=<unique_identifier_per_customer> |
Federation | Does the application support signed assertions using RSA keys of at least 2048 bits or ECC keys of at least 256 bits in length? | We support RSA keys of 2048 bits. |
Federation | Can the application generate digital signatures using SHA-2 hash functions that produce digests of at least 256 bits in length? | Yes |
Federation | Does the application support HTTP communications over TLS? Which Version of TLS? | Yes, TLS 1.2 and 1.3 |
Federation | Do TLS communications support perfect forward secrecy via ephemeral session key exchange? Do TLS handshakes involve a standard Diffie-Hellman key exchange? | Yes, we support both keyless SSL and Diffie-Hellman handshake. |
Federation | Do TLS communications support strong cipher suites (such as an IANA recommended cipher suite)? | For IANA we support:
For more supported algorithms: |
Federation | Does the application support metadata endpoint monitoring with automated configuration updates? | No. However, we have a status page that monitors the Ansarada platform: |
Federation | Does the application support the use of multiple IdP certificates at any given time? | No |
Access Management | Does the application currently implement or support Dynamic Session Management (Claims Based Authorisation)? | |
Access Management | Does the application currently implement or support On-Demand Provisioning using SAML Assertion? | Ansarada supports on-demand provisioning using SAML assertion. |
Access Management | Does the application currently implement or support Automated Access Removal after a period of inactivity? | No |
Access Management | Does the application currently implement or support SCIM based automated provisioning and de-provisioning? | No |
Access Management | If SCIM support is not available, is there an alternate provisioning/de-provisioning API available? | No |
Access Management | Does the API support establishment of all roles, including privileged roles (such as access administration, etc.)? | No |
Access Management | How does user access provisioning occur? | An AwesomeCompany admin will be able to invite internal and external users to the Ansarada platform. |
Access Management | Does the application provide alternate access mechanisms that do not require authentications with an IdP (for example, direct access break glass accounts for the restoration of service)? | Ansarada CS has access to Ansarada’s platform customer area. |
Access Management | What is the maximum token validity period time that is accepted by the application? | 60 minutes |
General Implementation | Are any components of the application hosted on public cloud infrastructure, such as AWS, Azure? | Ansarada uses AWS public cloud infrastructure. |
General Implementation | Where is the application IdP (relying party STS) hosted (public cloud, on-prem, other)? | Ansarada uses Auth0 (https://auth0.com), which is hosted on AWS public cloud infrastructure. |
General Implementation | What devices can be used to access the application (PC, MAC, mobile, other)? | Any device with Internet access |
General Implementation | Does the application provide non-web based access points (DB, OS, other)? | No |
General Implementation | What channels can be used to access the application (Internet, Internet with IP restriction, leased lines, VPN, other)? | Any Internet-accessible channel |
General Implementation | Can partner applications (Kira, Luminance, etc.) use SSO to log in? | By default, only the products that are part of the Ansarada Platform can use configured SSO. |
Authentication | What is the application login URL? | app.ansarada.com, which redirects the user to the page that hosts the platform login form (dynamic URL): https://auth.au.ansarada.com/login |
Authentication | What URL is used for the change password page (if available)? | Same as the login form |
Authentication | Please list any browser restrictions if any. E.g. IE v11 or higher. | |
Connectivity Restrictions | Does the Third Party provide the capability to restrict connectivity to the application so that only traffic originating from the AwesomeCompany network is permitted? | Yes |
Connectivity Restrictions | What capabilities are provided to restrict connectivity (e.g. IP restriction via whitelisting or use of Virtual Private Network (VPN))? | IP restriction via whitelisting |
Connectivity Restrictions | Please describe the process for initiating and completing connectivity restrictions with AwesomeCompany and service level agreement (SLA) for establishing that restriction. | An authorised officer of AwesomeCompany makes a request to Ansarada support ([email protected]) for connectivity restriction via IP whitelisting, specifying which projects it should apply to. The request will be completed within 24 hours. |
Access Administration | Is AwesomeCompany permitted to log into the application and complete access administration? | Yes, provided the AwesomeCompany staff member doing this has Administrator access to the deal room or management area containing the user whose access is being managed. |
Access Administration | Does the application have any geographical restrictions that govern where security administrator users must be located in order to use the application? | Not as standard. Geoblocking can be applied on a per deal room or per management area basis. |
Access Administration | What are the known limitations or exceptions for your application? | Invitations to deal rooms expire within 900 (nine hundred) days of the invitation being issued. Users must accept the invitation within that time; otherwise, another invitation will have to be issued. |
Access Administration | How can the AwesomeCompany Security Administrator contact your helpdesk for support related to access administration and related activities? | |
Password Policies | What is the minimum password length? | At least 8 characters |
Password Policies | What is the maximum password age (in days)? | Password time expiration is not supported |
Password Policies | Does the password comprise lowercase characters (a through z)? | Yes |
Password Policies | Does the password comprise uppercase characters (A through Z)? | Yes |
Password Policies | Does the password comprise base 10 digits (0 through 9)? | Yes |
Password Policies | Does the password comprise special or non-alphanumeric characters (@, #, +, etc.)? | Yes |
Password Policies | What is the password cycle frequency? | The user cannot reuse their last 5 passwords.
Please see more details: |
Password Policies | After how many consecutive logins will the account be locked? | We support brute-force protection; please see the details below:
|
Password Policies | Does the password contain login ID? | Password cannot contain a part of the user’s email and cannot contain their first or last name.
Please see more details: |
Password Policies | Does the password contain any element of your full name? | Password cannot contain a part of the user’s email or user name (first and last name).
Please see more details: |
Password Policies | Does the password include any phrase from the firm-maintained blacklist below? | Passwords from the common password lists are not allowed.
Please see more details: |
Other | Can SSO be enabled for both internal and external AwesomeCompany users? | |
Other | What are Ansarada management areas for? | |
Other | How can I see who has access to which room? | An admin will be able to log in to any room in the Management Area, and:
On a regular basis, Ansarada will be able to produce a report about users (both internal and external) in all rooms. The following information is available:
|
Other | Does Ansarada support MFA for both internal and external users? | |
Other | Please let me know the availability of the Ansarada application in Azure Gallery. | Ansarada is not available as an application in Azure Gallery. Nevertheless, we can configure Azure as an IdP for SSO. |
Other | Please confirm whether you are offering IdP-initiated SSO or SP-initiated SSO. | Ansarada supports SP-initiated flows. IdP-initiated flows are not currently supported. |
Other | Can you supply configuration documentation for Microsoft Azure? | We don’t have Azure-specific documentation. Our documentation is generic for all IdPs. We recommend configuring a custom Enterprise Application. |
Other | Can SSO be enabled for individual users to test the SSO setup? | Unfortunately, Ansarada doesn’t have the capability to enable SSO for individual users. SSO works per email domain: when a user tries to log in with a particular email address, our platform detects whether SSO is configured for that domain. One option we can suggest is to use a test domain. After successful verification, Ansarada will remove the test domain from the list of domains available for SSO. |